SAR guidance consultation - Batch 11-20 - Response 19 


Answer to question 1 


Data subjects can issue SARs simply to be malicious resulting in huge cost 
to the organisation due to the time and effort required to process these 
requests. Also, data subjects can request info that has already been 
provided to them - they can then request this info again - these requests 
cost the organisation money to process. The SAR process should allow 
companies to charge to process SARs where the data subject has been 
sent the information previously. For example employment documentation 
[contracts, time-sheets, payslips....] - where the employee has been sent 
this info the company should be allowed to charge for this or reject the 
response. Also, where a company reasonably suspects that a request is 
purely malicious - designed to cause harm to the company the 
company should be able to reject the request or charge a fee. Where the 
data subject simply requests all the data a company holds about them the 
company should be allowed to request further information to reduce the 
effort required. There is an imbalance between the data subject that can 
simply say ‘send me everything’ which takes a few seconds and costs 
them nothing - and then the response from the company that can take 
many hours and involve huge costs. This imbalance leads to malicious 
requests.... Regulations should allow a company to reject malicious SARs 
designed to extract compensation - data subjects are increasingly aware 
that sending a SAR to a company will result in significant time and effort 
for the company. There is already evidence of social media groups 
encouraging individuals to issue SARs simply to extract 
compensation. Companies should be allowed to reject these claims / 
SARs. ICO should offer an arbitration service - where a company believes 
a SAR is malicious the company should be able to refer the SAR to an 
independent arbitrator. 


